[Lognorm] Memory Leak in liblognorm?

Champ Clark III cclark at quadrantsec.com
Fri Jul 12 22:05:27 CEST 2013 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'll have to run on a different box,  as this machine (for whatever
reason) doesn't play well with valgrind.  I'll do that from a Ubuntu
VM ASAP.

If you get a chance,  can you glance and the code and see if I'm
blatantly and improperly cleaning up incorrectly?

I'll let you know the results from valgrind ASAP.


On 7/12/13 4:02 PM, Rainer Gerhards wrote:
> Can you run it under valgrind and tell what it says at end of run?
> 
> Sent from phone, thus brief.
> 
> Am 12.07.2013 22:00 schrieb "Champ Clark III"
> <cclark at quadrantsec.com <mailto:cclark at quadrantsec.com>>:
> 
> 
> Hello All!
> 
> I've got either a memory leak in liblognorm _or_ I'm not doing 
> something correctly.   In Sagan,  we have "processors" that do log 
> analysis using other techniques besides "rules".  As part of this 
> process,  liblognorm is used pretty heavily.
> 
> In the Sagan processor,  if I turn on liblognorm,  Sagan slowly
> starts to consume memory.  However,  if I tell the processor not to
> use liblognorm,  the memory stays consistent.
> 
> My thoughts are that I'm not either clean up after using
> liblognorm correctly or liblognorm has a slow memory leak.
> 
> My slightly mangled debug/Sagan code is at:
> 
> https://github.com/beave/sagan/blob/master/src/sagan-liblognorm.c
> 
> I think the problem is in the sagan_normalize_liblognorm()
> function. Near the end,  I've tried various ways to clean up, but
> with no affect.  (ee_deleteEvent(), free(), etc)
> 
> Any ideas would be greatly appreciated.
> 
> 
> _______________________________________________ Lognorm mailing
> list Lognorm at lists.adiscon.com <mailto:Lognorm at lists.adiscon.com> 
> http://lists.adiscon.net/mailman/listinfo/lognorm
> 
> 
> 
> _______________________________________________ Lognorm mailing
> list Lognorm at lists.adiscon.com 
> http://lists.adiscon.net/mailman/listinfo/lognorm
> 

- -- 
- - Champ Clark III (cclark at quadrantsec.com)
  Quadrant Information Security (http://quadrantsec.com)
  Key Fingerprint: 2E56 C2EB 1B25 C517 D5BA 2DCF 5E70 B2F8 0381 878A
  GPG Key ID: 0381878A
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJR4GGHAAoJENnmXt7Lmc3K4oMH+wRHHkchFSsVgSx/CRZ33Ae3
YAxqJNVKwNNkiS6wRKnMJp+odoV804VxxRzotSEFGHu3Tiz59p9cEPYf9SUK6hve
zWONr3TdeCHkOaXZweeOZT5LK+Q+acehjIZp3314WFgm+NAfJ7Ms6fX/VC4qi/Yh
MgFPlBjYjqYz4xAQRFvS3LtzU7U0mA+FXhT0LpchvfyDMKkSLmhJ+I3S+7qLExJo
YnmI5Bt5laIVc4KAC8rzC/uKLuLRdaXbxrNUTqCZebLDdwJ040Llg267MdAZBiDR
5kQXXqH3a6tykebosydtZUxbp5OrXUVoVmOBZrGQYsQs4bb6P8YLKNtlRImADLA=
=x/xI
-----END PGP SIGNATURE-----

More information about the Lognorm mailing list